Hi all,
I am a little bit confused at the moment. I’m trying to build a database and cookie-based login system.
After I experimented a bit and read http://www.yiiframework.com/forum/index.php?/topic/11858-security-implications-with-cwebuser/ I started to build a system like this:
- Use two cookies:
  - First with encrypted username/userId
  - Second with an information hash which is unique for this user
- On autoLogin, the username from cookie one is decrypted, and the user information is fetched from database
- From the user info a hash is built, which is compared to the hash from cookie two.
- If the hashes are equal, the user is logged in.
Now, as I understood the CWebUser/CUserIdentity concept, on login all information stored as "states" in the user identity will be stored in the cookie.
So I tried to see which states are set by default by using $identity->getPersistentStates(), which returns an empty array.
But when I log in the user, all data from my user identity is stored in plain text in the cookie. So I think I don’t get the concept here?!
How can I control what is stored in the cookie on login?
In my scenario, would this only be the encrypted username?
How would I integrate the second cookie?
I appreciate every hint.
Thanks in advance, best regards,
Florian
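As an added illustration (not part of the post above, and not Yii code), here is a stand-alone PHP sketch of the two-cookie auto-login check the post describes: cookie one carries the encrypted user id, cookie two a keyed hash over the user's stored record, and login succeeds only when both verify. The `$key`, the cookie names `uid`/`uhash`, the user array layout and the `$findUser` callback are assumptions made for this example.

```php
<?php
// Added example, not from the forum post: plain PHP, no Yii classes.
// Assumed: a 32-byte server secret $key; user rows with id/username/password_hash.

const CIPHER = 'aes-256-gcm';

// Cookie 1: the user id, encrypted (AES-GCM) so it is not readable client-side.
function encryptUserId(string $key, int $userId): string {
    $iv = random_bytes(12);
    $tag = '';
    $ct = openssl_encrypt((string)$userId, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag);
    return base64_encode($iv . $tag . $ct);
}

function decryptUserId(string $key, string $cookie): ?int {
    $raw = base64_decode($cookie, true);
    if ($raw === false || strlen($raw) < 28) return null;
    $iv = substr($raw, 0, 12); $tag = substr($raw, 12, 16); $ct = substr($raw, 28);
    $pt = openssl_decrypt($ct, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag);
    return ($pt !== false && ctype_digit($pt)) ? (int)$pt : null;
}

// Cookie 2: keyed hash (HMAC) over fields that change when the account changes,
// so a password change invalidates every previously issued cookie pair.
function userInfoHash(string $key, array $user): string {
    $info = $user['id'] . '|' . $user['username'] . '|' . $user['password_hash'];
    return hash_hmac('sha256', $info, $key);
}

// The autoLogin step: decrypt cookie one, load the user, rebuild the hash from
// the database record and compare it with cookie two in constant time.
function autoLogin(string $key, array $cookies, callable $findUser): ?array {
    $id = isset($cookies['uid']) ? decryptUserId($key, $cookies['uid']) : null;
    if ($id === null) return null;
    $user = $findUser($id);
    if ($user === null) return null;
    $given = $cookies['uhash'] ?? '';
    return hash_equals(userInfoHash($key, $user), $given) ? $user : null;
}

// Constructed sample data: one user and the cookie pair issued for them.
$key = random_bytes(32);
$users = [7 => ['id' => 7, 'username' => 'florian',
                'password_hash' => password_hash('demo', PASSWORD_DEFAULT)]];
$find = function (int $id) use (&$users) { return $users[$id] ?? null; };
$cookies = ['uid' => encryptUserId($key, 7), 'uhash' => userInfoHash($key, $users[7])];
var_dump(autoLogin($key, $cookies, $find));   // both cookies verify against the record
$users[7]['password_hash'] = password_hash('changed', PASSWORD_DEFAULT);
var_dump(autoLogin($key, $cookies, $find));   // record changed, old cookie pair is rejected
```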